An ERM horror story | Norman Marks on Governance, Risk Management, and Audit


An ERM horror story

This week, I was working with the SOX team of a large US-based financial institution. At one point, the senior executive and leader of the team asked me something I had never heard before.

“Our ERM team wants me to provide them a number they can include in their calculation of the company’s residual risk. This is something, they say, is required by the regulators. What do you think of that?”

I have to admit to being stunned. Silent.

Then I couldn’t hold it in any more.

“It’s stupid!” I blurted out.

ERM at this organization sounds like something from a 1920s horror movie.

How could anybody believe there is value in a single number ‘residual risk’ for a large organization?

Does it make sense to aggregate risk levels for a variety of risk sources, including cyber, compliance, credit, liquidity, competitor, and internal control over financial reporting?

Does that help management make any decision? How is it actionable?

Does it help the regulator understand whether management is putting the interests of stakeholders in jeopardy?

What I will bet is happening is this:

  • Each type of risk at the organization (including but perhaps not limited to those I listed above) is individually assessed. They use a single number for the potential impact (in other words, they…
